From 11fc85e2b98e7a51b1fd6648eec3f293cc1ddadf Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 10:32:34 +0200
Subject: [PATCH] fix: log access_token claims and audience mismatch during OIDC exchange

Helps diagnose whether rolesClaim path matches the actual token structure.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../com/cameleer3/server/app/security/OidcTokenExchanger.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 93d71430..34d2512c 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -122,10 +122,13 @@ public class OidcTokenExchanger {
             String audience = config.audience() != null ? config.audience() : "";
             JWTClaimsSet atClaims = decodeAccessToken(accessTokenStr, config.issuerUri(), audience);
             if (atClaims != null) {
+                log.info("OIDC access_token claims: {}", atClaims.getClaims().keySet());
                 roles = extractRoles(atClaims, config.rolesClaim());
                 if (!roles.isEmpty()) {
                     log.info("OIDC roles from access_token: {}", roles);
                 }
+            } else {
+                log.info("OIDC access_token audience mismatch (expected='{}')", audience);
             }
         } catch (Exception e) {
             log.debug("Could not decode access_token as JWT: {}", e.getMessage());
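Review bot: The new else branch reports every null from decodeAccessToken as an "audience mismatch", but the call also passes config.issuerUri() and the method's null contract is not visible in this hunk; if it returns null for issuer or signature problems as well, the message will send the operator down the wrong path. Prefer wording that states only what is known and includes both inputs, e.g. `log.info("OIDC access_token not accepted by decodeAccessToken (issuer='{}', expected audience='{}')", config.issuerUri(), audience);`, and note that because audience falls back to "" when config.audience() is null, an empty expected value in that line means the audience is unconfigured rather than mismatched. Both added lines fire at INFO on every token exchange; logging only claim key names (not values) is the right choice, but as diagnostics they belong at DEBUG next to the existing debug line in the catch block, so production logs are not flooded with per-request token structure. The enclosing method and its try block start and end outside this hunk.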